Internet Productivity Suite: Open Source Security
Trust Internet Productivity Suite's open source architecture to give you the best
security and productivity applications available. Collaborating with thousands of
developers, Guardian Digital security engineers implement the most technologically
advanced ideas and methods into their design.

LINUX ADVISORY WATCH
This week, perhaps the most interesting articles include cacti, heimdal,
webcalendar, ekg, phpbb2, setarch, openoffice, pvm, fetchmail, mozilla, devhelp,
yelp, subversion, zlib, kdenetwork, perl, module-init-tools, mgetty, system-config-netboot,
libsepol, gnbd-kernel, dlm-kernel, cman-kernel, util-linux, tar, gcc, libtool,
audit, zlib, apr, pam_ldap, fetchmail, sandbox, Kopete, Clam, Ethereal, cpio,
kdenetwork, httpd, and dhcpd. The distributors include Debian, Fedora, Gentoo,
and Red Hat.
LinuxSecurity.com Feature Extras:

Linux File & Directory Permissions Mistakes
One common mistake Linux administrators make is having file and directory
permissions that are far too liberal and allow access beyond that which is needed
for proper system operation. A full explanation of Unix file permissions is beyond
the scope of this article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one is available
right here on linuxsecurity.com.
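As an added illustration of the mistake this feature describes (example code, not from the LinuxSecurity.com article), the following POSIX shell script audits a directory tree for permissions that are more liberal than they need to be: world-writable files, world-writable directories without the sticky bit, and setuid/setgid files. The sample tree it builds under mktemp is constructed for the example; point audit_tree at a real directory to use it.

```shell
#!/bin/sh
# Added example, not from the LinuxSecurity.com article: audit a directory tree
# for permissions that are more liberal than they need to be. Uses only POSIX
# find(1)/chmod(1); the sample tree below is constructed for illustration.

# Regular files writable by "other": any local user may change their contents.
list_world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# World-writable directories that lack the sticky bit: any user can delete or
# rename any file in them, unlike /tmp (mode 1777), where only the owner can.
list_unsticky_world_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null | sort
}

# Files carrying setuid or setgid bits: each is a privilege boundary worth
# reviewing, since a flaw in it runs with the file owner's or group's rights.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

AUDIT_CHECKS="list_world_writable_files list_unsticky_world_writable_dirs list_setid_files"

# Total number of findings across all checks, printed on stdout.
count_findings() {
    n=0
    for check in $AUDIT_CHECKS; do
        n=$((n + $("$check" "$1" | grep -c . || true)))
    done
    printf '%s\n' "$n"
}

# Print a report grouped by check; returns non-zero when anything was found,
# so the script can gate a cron job or a deployment check.
audit_tree() {
    problems=0
    for check in $AUDIT_CHECKS; do
        hits=$("$check" "$1")
        [ -n "$hits" ] || continue
        problems=$((problems + 1))
        printf '%s:\n' "$check"
        printf '%s\n' "$hits" | sed 's/^/  /'
    done
    [ "$problems" -eq 0 ]
}

# Build a constructed sample tree with one instance of each problem and one
# correctly set file; prints the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/upload" "$root/tmp" "$root/etc"
    : > "$root/etc/app.conf";      chmod 0644 "$root/etc/app.conf"      # fine: owner writes, others read
    : > "$root/upload/report.txt"; chmod 0666 "$root/upload/report.txt" # too liberal: anyone may modify
    : > "$root/upload/helper";     chmod 4755 "$root/upload/helper"     # setuid: needs review
    chmod 0777 "$root/upload"   # world-writable, no sticky bit
    chmod 1777 "$root/tmp"      # world-writable but sticky, as /tmp is
    printf '%s\n' "$root"
}

# Stand-alone run: build the sample tree, audit it, clean up.
sample=$(make_sample_tree)
audit_tree "$sample" || echo "Permissions need attention under $sample"
rm -rf "$sample"
```

The three find expressions are the ones to reuse on a live system (for example `find / -xdev -type f -perm -002`); the sticky-bit check matters because a 0777 directory without it lets any user remove or replace other users' files, which is exactly the over-liberal access the article warns about.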
Introduction: Buffer Overflow Vulnerabilities
Buffer overflows are a leading type of security vulnerability. This paper
explains what a buffer overflow is, how it can be exploited, and what
countermeasures can be taken to prevent the use of buffer overflow
vulnerabilities.
Getting to Know Linux Security: File Permissions
Welcome to the first tutorial in the 'Getting to Know Linux Security' series.
The topic explored is Linux file permissions. It offers an easy-to-follow
explanation of how to read permissions and how to set them using chmod. This
guide is intended for users new to Linux security and is therefore kept very
simple.
Bulletproof Virus Protection
Protect your network from costly security breaches with Guardian Digital's
multi-faceted security applications. More than just an email firewall, on-demand
and scheduled scanning detects and disinfects viruses found on the network.
Click to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Single photons distributed for quantum cryptography
26th, July, 2005
Japan's Nippon Telegraph and Telephone Corp. (NTT) has successfully
demonstrated that quantum cryptography using single photons can be realised
in a photonic network of optical fibres. Quantum cryptography is expected
to be the last resort among cryptographic protocols, and to enhance
enormously the safety of transmitting information.
Forty-five percent of corporate chief security officers believe
a "digital Pearl Harbor" will take place eventually, with 13 percent anticipating
such an attack within a year, according to a survey by CSO Magazine.
'Critical' Kerberos Flaws Could Open Networks to Attack
28th, July, 2005
Kerberos, the popular authentication protocol developed by the
Massachusetts Institute of Technology, is vulnerable to three serious
flaws that could allow an attacker to gain access to protected corporate
networks, MIT researchers disclosed late on Tuesday.
Linux Network Security Higher than Other Platforms
29th, July, 2005
"There are many research reports that try to compare the number
of vulnerabilities between Linux and other operating systems, but none
take into account the severity of the issues," said Mark Cox, head of the
Red Hat security response team. "This report shows there are relatively
few critical issues affecting users of Linux-based operating systems.
However, we believe even one is unsatisfactory, and our strategy is to
rapidly respond to fix these issues whilst innovating new technology to
reduce the risk of future issues."
One can only imagine what raced through Michael Lynn's mind
the penultimate moment before he saved or sacrificed our nation's critical
infrastructure, depending on your take of the researcher's Black Hat Briefings
presentation this week.
Cisco Systems Inc. on Friday confirmed that a security hole
in its Internetwork Operating System could be exploited by remote attackers
to execute arbitrary code.
Rootkits. Zero-day exploits. Social engineering. Encryption
cracking. Cryptography. File format fuzzing. Kernel exploitation. These
are just some of the buzzwords making the rounds at the Black Hat USA
2005 security conference here, where some of the sharpest minds in the
research community will congregate to share information on computer and
Internet security threats.
The Trusted Computing Group has announced an open specification
for trusted servers to allow manufacturers to offer better data and transaction
security. The specification launched by the industry standards body defines
the architecture of a trusted server including its management, maintenance
and communication between servers and clients.
3Com this week is expected to launch a program that offers cash
to members of the security community in return for information on potentially
damaging Internet-based security threats. Its Zero Day Initiative is an
attempt to prompt the disclosure of security vulnerabilities quicker by
giving independent security researchers incentive for pointing out holes
in software and hardware products that could lead to network attacks.
Some observers call the program a positive step toward making networks
safer, while others question how such a payoff system would work, or whether
third-party vendors -- including 3Com competitors -- would react negatively
to a system under which 3Com gives money to individuals for information
about product vulnerability before the affected vendors know about them.
A bug discovered in an operating system that runs the majority
of the world's computer networks would, if exploited, allow an attacker
to bring down the nation's critical infrastructure, a computer security
researcher said Wednesday against threat of a lawsuit.
Michael Lynn, a former research analyst with Internet Security Solutions,
quit his job at ISS Tuesday morning before disclosing the flaw at Black
Hat Briefings, a conference for computer security professionals held
annually here.
A security qualification is a must but make sure it fits your field
25th, July, 2005
Europe will need another 680,000 information security professionals
by 2008, according to a survey by IDC on behalf of the International Information
Systems Security Certification. The survey found that most hiring managers
(93%) preferred candidates with security qualifications. ISC2 offers certificates
for systems security practitioners (SSCP) and professionals (CISSP), and
is one of several bodies to provide such qualifications. The survey found
that security specialists are also expected to understand business processes,
to help minimise risks as new systems are developed.
TippingPoint--part of 3Com--is soliciting hackers to report
vulnerabilities in exchange for money. If a valid bug is found, TippingPoint
will notify the maker of the flawed product and update its security products
to protect users against exploitation of the flaw until an official patch
is released.
A "highly critical" flaw has been reported in MySQL that can
be exploited to cause a DoS (Denial of Service) or to execute arbitrary
code on the open-source database, according to security alerts aggregator
Secunia Inc.
Trike - A Conceptual Framework for Threat Modeling
26th, July, 2005
Trike is a unified conceptual framework for security auditing from a risk
management perspective through the generation of threat models in a reliable,
repeatable manner. A security auditing team can use it to completely and
accurately describe the security characteristics of a system, from its
high-level architecture to its low-level implementation details.
Paying for Flaws: Undermining Security or Rewarding Good Deeds?
26th, July, 2005
3Com Corp.'s announcement that its Tipping Point division would
start paying for the rights to security flaw information found by private
researchers has reignited an old debate: Should underground hackers benefit
from breaking into software systems?
Virus writers who once favored releasing malware that would
clog corporate networks by the thousands have shifted to a strategy of
secrecy in which they commandeer PCs on the Internet in the pursuit of
dollars instead of notoriety, a security expert said Friday.
First there was PGP e-mail. Then there was PGPfone for modems.
Now Phil Zimmermann, creator of the wildly popular Pretty Good Privacy
e-mail encryption program, is debuting his new project, which he hopes
will do for internet phone calls what PGP did for e-mail.
Zimmermann has developed a prototype program for encrypting voice-over
IP which he will announce tomorrow during a presentation at the BlackHat
security conference in Las Vegas.
Security intelligence company iDefense has sweetened its offer
to hackers who sell it details on new software vulnerabilities. The change
comes one day after rival TippingPoint started to offer rewards for pinpointing
bugs.
There seems little doubt amongst industry experts, that VoIP
usage will only grow over the next five to ten years. All public estimates
put the growth of the VoIP market in the billions over the coming decade.
Personal storage sites are a 'safe haven for hackers'
28th, July, 2005
Websense, the employee management software outfit that's become
best known for heaping FUD on emergent net technologies, has found a new
target. Hot on the heels of characterising online storage sites as a conduit
for industrial espionage and blogs as a host of malware, it's decided to
chastise personal web hosting sites as a "Safe Haven for Hackers".
SFTPPlus is immediately available as a method of secure file
transfer to meet corporate and regulatory requirements - offering additional
functionality to SFTP. It is expected to have widespread usage in all
sectors including government, local authority, retail, financial etc.
The current choice of tools for SFTP transfers is very large, but
generally these are designed for interactive use, and provide little
in the way of automated operations or audit trail for the client.
New tools could help bug hunters find vulnerabilities in popular
file formats, such as the JPEG and GIF image formats. Flaws in how applications
handle those file formats are drawing interest among security researchers,
according to speakers at the Black Hat security conference here.